Splunk Search

similar searches using report acceleration

Splunk Employee

Hello,

We have one search that pulls back a large set of data for 30 days and is accelerated. In planning, I was under the assumption that Splunk would attempt to use the accelerated search to help speed up additional similar searches, but it does not appear to.

Here is the original search:

index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia | timechart avg(ResponseTime) by TriggerName useother=f

But then in my dashboard I try to filter this down further on host, TriggerName, App, etc. by passing in searches similar to the one accelerated through a drop-down, hoping that Splunk would recognize it to be similar and take advantage of the acceleration, but it doesn't. For example, one of my new searches would be:

index=cerner host=h1* Application=powerchart TriggerName="USR:PWR-Application Startup" | timechart avg(ResponseTime) by TriggerName | addtotals

Still the same concept but just narrowed down. Essentially I was trying to make this dynamic without having to make 20+ saved accelerated searches.

Any ideas on how this could work, or am I looking at it from the wrong angle?

Thanks!

0 Karma

Path Finder

@aaronkorn I see you're using Splunk with Cerner. We are currently in the process of rolling out Splunk for infrastructure uses, but in the near future we will want to use Splunk with our EHR system (we will be switching to either Epic or Cerner in the next several months) and was hoping to chat with you about how you are using Splunk with Cerner. If you're willing, please email me as I'd greatly appreciate it! I'm really trying to push Splunk for this instead of adding another product such as FairWarning. My email is Derek.Horn@bhsi.com

Thanks!

0 Karma

Splunk Employee

Those two searches are too different to both use the same acceleration summary. If both searches started with

index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia

but were transformed in different ways, they could both use the same summary because they're essentially working off of the exact same dataset. I know the second search is essentially returning a subset of the information returned by the first one, but the current implementation of report acceleration will see them as working with two distinctly different datasets.

The docs around this aspect of report acceleration could probably be a bit clearer. As the primary doc writer on this topic, I'll see what I can do.
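As an added example, not code from the thread or from Splunk, here is a small Python check that applies the rule stated in the answer above: two searches are candidates for the same acceleration summary only when everything before the first top-level pipe is identical. The `| search ...` rewrite below is a hypothetical illustration of "same base, different transformation"; whether Splunk actually serves it from the summary is something to confirm on the Report Acceleration Summaries page, not something this script can decide.

```python
import re

# Added example: checks whether two SPL searches share the same base search,
# i.e. the text before the first top-level pipe. Per the answer above, that is
# what two searches need in common to be served by one acceleration summary.


def split_stages(search: str) -> list[str]:
    """Split an SPL string on pipes, ignoring pipes inside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in search:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def base_search(search: str) -> str:
    """Return the normalized base search (whitespace collapsed, nothing else)."""
    return re.sub(r"\s+", " ", split_stages(search)[0]).strip()


def shares_base(accelerated: str, candidate: str) -> bool:
    """True when both searches start from the same dataset definition."""
    return base_search(accelerated) == base_search(candidate)


# Searches from the thread (constructed copies for this example).
BASE = ("index=cerner Application=powerchart OR Application=snsurginet "
        "OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia")
ACCELERATED = BASE + " | timechart avg(ResponseTime) by TriggerName useother=f"
NARROWED = ('index=cerner host=h1* Application=powerchart '
            'TriggerName="USR:PWR-Application Startup" '
            '| timechart avg(ResponseTime) by TriggerName | addtotals')
# Hypothetical rewrite: the same base, with the narrowing moved after the pipe.
REWRITTEN = (BASE + ' | search host=h1* TriggerName="USR:PWR-Application Startup"'
             " | timechart avg(ResponseTime) by TriggerName | addtotals")

if __name__ == "__main__":
    for name, s in (("narrowed", NARROWED), ("rewritten", REWRITTEN)):
        print(f"{name}: same base as accelerated report -> {shares_base(ACCELERATED, s)}")
```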

Splunk Employee

Did you verify on the Report Acceleration Summaries page that this new search was using the same summary as the original? If this was the case but you added more arguments to the base search (more filters from the drop down or whatever) then maybe it's not accelerating because it needs to rebuild the summary to include the events that would be returned by those new filters.

0 Karma

Splunk Employee

Thanks for the response. If my search was something like this:

index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia | timechart avg(ResponseTime) by TriggerName useother=f

would that work? I gave it a shot and it said it looked familiar to my original accelerated search, but it did not inherit the speed. Any ideas?

0 Karma